Prevent SQL Injection with Spark 4.5

Hi,

Refer to the code in Core.cs line 312. Could there be a potential security vulnerability with the raw SQL statement supplied? Other than supply data through Parameters, are there anyway to further reduce the risk of SQL injection with raw SQL statement?

The CreateCommand method you refer to is a private helper which cannot be called directly. It accepts a parameterized SQL statement and parameters which are used to setup parameterized queries. There is no vulnerability.

All SQL in Spark consists of parameterized queries (also called prepared statements) which is the most important way for .NET developers to prevent SQL Injection.

However, parameterizing your queries is not the only tool available in our toolbox. In general it is good practice to have additional safeguards, by using whitelists, blacklists, regular expressions, etc -- essentially all user entries are checked and validated before they get sent down to be used as parameters or to setup SQL.